Windows 8.1 backups can leave sensitive files exposed to Internet

The handy File History feature in Windows 8 and 8.1 is a convenience and a time-saver, but if set up without security in mind it can expose sensitive files to anyone on the Internet, security pros were told at a conference.

When picking where File History sends backups of documents, photos and the like, it's a must to be sure that the storage chosen doesn't allow for anonymous access, Kenneth Johnson, a senior associate with KPMG, warned an audience at (ISC)² Security Congress.

It's not a flaw in the Windows feature, he says. In fact, it's a pitfall that Microsoft explains how to avoid in its instructions, but it's nevertheless easy to find files exposed in this way on the Internet.

For example, in one case, Johnson says he found documents on the Internet that detail corporate goals and employee evaluations, backed up from a machine used by the company's former CEO. In another he found a doctor's notes about individual patients.

File History regularly backs up documents, photos, videos, music and Desktop folders so if the originals are lost, damaged or deleted, they can be quickly restored. The history is also useful for finding earlier versions of files.

Setting up File History requires naming a place where the backups are stored, such as a separate drive or network attached storage. If Internet-accessible NAS is chosen and it allows for anonymous FTP, then search engine crawlers can find the files. Using a search engine to find a File History signature, \configuration\catalog1.edb, yields pages of individuals' backed-up files.

Lopping that signature off the URL and searching again moves the searcher up the file structure of the victim's storage, potentially exposing a wealth of backed-up files.
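For the owner of such a NAS, the same signature is a useful thing to look for in the device's own FTP transfer log. The following is an added example, not part of the original article or of anything Johnson presented: it assumes the NAS FTP service writes a transfer log in the standard xferlog layout, and the log lines and paths are constructed samples.

```python
import re
from collections import defaultdict

# File History signature named in the article; matched case-insensitively.
SIGNATURE = re.compile(r"/configuration/catalog1\.edb$", re.IGNORECASE)

# Constructed sample in xferlog layout (not real traffic; paths are made up).
SAMPLE_LOG = """\
Thu Oct  2 03:14:07 2014 1 203.0.113.7 524288 /share/FileHistory/alice/ALICE-PC/Configuration/Catalog1.edb b _ o a crawler@example.com ftp 0 * c
Thu Oct  2 03:14:09 2014 1 203.0.113.7 18220 /share/FileHistory/alice/ALICE-PC/Data/C/Users/alice/Documents/review_2014.docx b _ o a crawler@example.com ftp 0 * c
Thu Oct  2 08:30:00 2014 2 192.0.2.10 524288 /share/FileHistory/bob/BOB-PC/Configuration/Catalog1.edb b _ i r bob ftp 0 * c
Thu Oct  2 09:00:41 2014 1 198.51.100.23 4096 /pub/readme.txt b _ o a guest@example.org ftp 0 * c
"""

def parse_xferlog(line):
    """Return (remote_host, path, direction, access_mode), or None if malformed."""
    tok = line.split()
    if len(tok) < 18:
        return None
    # Nine fixed fields follow the filename, so slice from the right in
    # case the server logged a filename that contains spaces.
    path = " ".join(tok[8:-9])
    return tok[6], path, tok[-7], tok[-6]

def exposed_backups(log_text):
    """Map each File History root fetched anonymously to the files pulled from it."""
    records = [r for r in map(parse_xferlog, log_text.splitlines()) if r]
    # direction "o" = download from the NAS, access mode "a" = anonymous login
    anon_out = [(h, p) for h, p, d, m in records if d == "o" and m == "a"]
    # A backup root is what remains after lopping the signature off the path.
    roots = {SIGNATURE.sub("", p) for _, p in anon_out if SIGNATURE.search(p)}
    findings = defaultdict(list)
    for host, path in anon_out:
        for root in roots:
            if path.startswith(root + "/"):
                findings[root].append((host, path))
    return dict(findings)

if __name__ == "__main__":
    for root, hits in exposed_backups(SAMPLE_LOG).items():
        print(f"anonymous access to File History backup under {root}:")
        for host, path in hits:
            print(f"  {host} fetched {path}")
```

Any root reported here means the backup location accepted an anonymous login and served files, so anonymous access on that share should be turned off and the backup treated as disclosed.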

If File History violates corporate policies, infosec pros can disable it altogether via a group policy object as described by Microsoft.

Even if businesses decide to use File History and make sure the chosen storage is secure, sensitive data can still wind up accessible to anyone on the Internet, Johnson says.

For example, if an employee copies files to a thumb drive and downloads them to a non-corporate machine that backs up to the wrong type of NAS, they are exposed, he says. In this case, supplemental controls, such as policies that block downloads to removable media, can help remedy the situation, he says.

Johnson says he stumbled on this weakness while researching another issue. He has found email addresses for some individuals with exposed files, and he contacted them. "If I had my data exposed I'd at least want someone to tell me," he says.

Most of them didn't respond, some corresponded with him to find out more, and one berated him for snooping. (Johnson says he doesn't actually drill down into the files themselves, just to their names, which can reveal a lot about what's in them.) He has checked back on the stored files of some of those he told about their problem, and many of them are no longer available, so apparently they took steps to deal with the leaks.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.